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Overview 

Mobile  code  provides  a  convenient,  efficient,  and  economical  way  to  extend 
the  functionality  and  improve  the  performance  of  networked  computing  sys¬ 
tems.  It  is  an  approach  that  has  been  widely  embraced,  as  evidenced  by 
today’s  operating  systems,  web  browsers,  and  applications  with  their  sup¬ 
port  for  “plug-and-play”.  Javascript,  downloaded  helper  applications,  and 
executable  attachments.  Yet  today’s  security  architectures  provide  poor 
protection  from  faulty,  much  less  from  malicious,  extensions.  Our  informa¬ 
tion  systems  are  thus  increasingly  susceptible  to  attacks — attacks  that  can 
have  devastating  consequences. 

This  project  is  investigating  programming  language  technology — program 
analysis  and  program  rewriting — for  defending  software  systems  against  at¬ 
tacks  from  mobile  code  and  system  extensions.  The  approach  promises  to 
support  a  wide  range  of  flexible,  fine-grained  access-control  and  information- 
flow  policies.  Only  a  small  trusted  computing  base  seems  to  be  required. 
And  the  run-time  costs  of  enforcement  should  be  low. 

Our  progress  over  the  past  year  is  summarized  below.  Details  can  be 
found  in  the  publications  whose  citations  are  given  following  all  the  sum¬ 
maries.  A  list  of  DoD  interactions  and  technology  transitions  appears  at  the 
end  of  the  report. 
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In-lined  Reference  Monitors 


In-lined  reference  monitors  are  a  new  approach  to  implementing  traditional 
reference  monitors.  A  desired  end-to-end  security  policy  is  formulated  using 
a  high-level  declarative  policy  language.,  and  then  a  rewriting  tool  is  used 
to  automatically  rewrite  untrusted  code  into  code  that  respects  the  policy. 
The  rewriting  tool  works  by  inserting  extra  state  and  dynamic  checks  into 
the  untrusted  code  so  that  the  code  becomes  self-monitoring. 

Over  the  past  year,  we  made  progress  towards  understanding  issues  as¬ 
sociated  with  the  deployment  of  IRMs  in  a  production  operating  system. 
A  set  of  kernel  modifications  was  developed  to  support  a  prototype  IRM 
rewriter  in  Microsoft’s  Windows.  This  work  seems  to  suggest  the  need  for 
mechanism  to  identify  which  policy  is  applied  to  any  given  executable  and 
for  mechanism  to  manage  multiple  executables  (each  enforcing  a  different 
policy).  For  example,  .NET  caches  dll’s  (executables),  and  the  architecture 
for  how  that  cache  is  managed  needs  to  work  differently  when  the  same 
dll  could  have  been  rewritten  in  multiple  ways  (to  enforce  one  or  another 
different  policies). 

In  addition,  a  prototype  MSIL  (Microsoft  Intermediate  language)  in- 
lined  reference  monitor  (IRM)  realization  is  now  operational.  It  imple¬ 
ments  an  aspect-oriented  programming  metaphor  for  MSIL  assembly  lan¬ 
guage  (rather  than  for  a  high-level  language).  An  aspect-oriented  program 
comprises  aspects,  each  of  which  consists  of  a  point-cut  and  some  advice. 
The  point-cut  is  a  predicate  that  specifies  where  to  do  rewriting  in  target 
code,  and  the  advice  specifies  how  to  do  the  rewriting.  Designing  a  point-cut 
language  that  provides  complete  visibility  at  a  high-level  into  an  assembly 
language  is  an  interesting  challenge;  we  plan  next  to  turn  our  attention  to 
this. 


Cyclone  Compiler 

Today,  our  computing  and  communications  infrastructure  is  built  using  un¬ 
safe,  error-prone  languages  such  as  C  or  C-f- H  where  buffer  overruns,  for¬ 
mat  string  errors,  and  space  leaks  are  not  only  possible,  but  frighteningly 
common.  In  contrast,  type-safe  languages,  such  as  Java,  Scheme,  and  ML, 
ensure  that  such  errors  either  cannot  happen  (through  static  type-checking 
and  automatic  memory  management)  or  at  least  are  caught  at  the  point  of 
failure  (through  dynamic  type  and  bound  checks.)  This  fail-stop  guarantee 
is  not  a  total  solution,  but  it  does  isolate  the  effects  of  failures,  facilitates 
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testing  and  determination  of  the  true  source  of  failures,  and  enables  tools 
and  methodologies  for  achieving  greater  levels  of  assurance. 

The  obvious  question  is:  “Why  don’t  we  re-code  our  infrastructure  us¬ 
ing  type-safe  languages?”  Though  such  a  technical  solution  looks  good  on 
paper,  the  cost  is  simply  too  large.  For  instance,  today’s  operating  systems 
consist  of  tens  of  millions  of  lines  of  code.  Throwing  away  all  of  that  C  code 
and  reimplementing  it  in,  say  Java,  is  simply  too  expensive,  and  in  some 
situations,  not  even  possible. 

An  alternative  approach  is  to  try  to  adapt  safe  language  technology  to 
legacy  C  and  C-l— f-  systems.  The  ideal  solution  should: 

•  catch  most  errors  at  compile  time, 

•  give  a  fail-stop  guarantee  at  run  time,  and 

•  scale  to  millions  of  lines  of  code 
while  simultaneously: 

•  minimizing  the  cost  of  porting  the  code  from  C/C-b- 1-, 

•  interoperating  with  legacy  code, 

•  giving  programmers  control  over  low-level  details  needed  to  build  sys¬ 
tems. 

As  a  step  towards  these  goals,  we  have  been  developing  Cyclone,  a  type- 
safe  programming  language  that  can  be  roughly  characterized  as  a  “superset 
of  a  subset  of  C.”  The  type  system  of  Cyclone  accepts  many  C  functions 
without  change  and  uses  the  same  data  representations  and  calling  conven¬ 
tions  as  C  for  a  given  type  constructor.  It  also  rejects  many  C  programs  to 
ensure  safety.  For  instance,  it  rejects  programs  that  perform  (potentially) 
unsafe  casts,  that  use  unions  of  incompatible  types,  that  (might)  fail  to  ini¬ 
tialize  a  location  before  using  it,  that  use  certain  forms  of  pointer  arithmetic, 
or  that  attempt  to  do  certain  forms  of  memory  management. 

All  of  the  analyses  used  by  Cyclone  are  local  (i.e.,  intra-procedural)  so 
we  can  ensure  scalability  and  separate  compilation.  The  analyses  have  also 
been  carefully  constructed  to  avoid  unsoundness  in  the  presence  of  threads. 
The  price  paid  is  that  programmers  must  sometimes  change  type  definitions 
or  prototypes  of  functions,  and  occasionally  they  must  rewrite  code. 

We  find  that  programmers  must  touch  about  10%  of  the  code  when 
porting  from  C  to  Cyclone.  Most  of  the  changes  involve  choosing  pointer 
representations  and  only  a  very  few  involve  region  annotations  (around  0.6 
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%  of  the  total  changes.)  In  the  future,  we  hope  to  minimize  this  burden  by 
providing  a  porting  tool  that  utilizes  a  more  global  analysis  to  determine 
the  appropriate  representation. 

The  performance  overhead  of  the  dynamic  checks  depends  upon  the  ap¬ 
plication.  For  systems  applications,  such  as  a  simple  web  server,  we  see  no 
overhead  at  all.  This  is  not  surprising,  as  these  applications  tend  to  be  I/O- 
bound.  For  scientific  applications,  we  see  a  much  larger  overhead  (around  5x 
for  a  naive  port,  and  3x  with  an  experienced  programmer).  We  believe  much 
of  this  overhead  is  due  to  bounds  and  null  pointer  checks  on  array  access. 
We  have  incorporated  a  simple,  intra-procedural  analysis  to  eliminate  many 
of  those  checks  and  indeed,  this  results  in  a  marked  improvement.  However, 
some  of  the  overhead  is  also  due  to  the  use  of  “fat  pointers”  and  the  fact 
that  GCC  does  not  always  optimize  struct  manipulation.  By  unboxing  the 
structs  into  variables,  we  may  find  a  marked  improvement. 


Secure  Program  Partitioning 

Our  secure  •program  partitioning  provides  the  means  to  ensure  that  data 
confidentiality  and  integrity  are  preserved  in  distributed  systems  that  con¬ 
tain  untrusted  hosts  and  mutually  distrusting  principals.  This  problem  is 
particularly  relevant  to  information  systems  used  by  mutually  distrusting 
organizations,  such  as  the  dynamic  coalitions  that  arise  in  military  settings. 

In  our  approach,  programs  are  automatically  partitioned  into  communi¬ 
cating  subprograms  that  run  on  the  available,  partially  trusted  hosts.  The 
partitioning  automatically  extracts  a  secure  communications  protocol,  and  if 
any  host  is  subverted,  then  only  principals  that  have  explicitly  stated  trust 
in  that  host  need  fear  a  violation  of  confidentiality.  That  is,  for  a  given 
principal  p,  the  partitioned  program  we  create  is  robust  against  attacks  on 
hosts  not  trusted  by  p.  To  protect  data  integrity,  information  and  code  are 
also  replicated  across  the  available  hosts. 

We  have  implemented  these  techniques  in  Jif/split,  an  extension  to  our 
publicly  released  Jif  compiler  that  statically  enforces  information  flow  con¬ 
trol,  in  conjunction  with  a  distributed  run-time  system  that  securely  exe¬ 
cutes  partitioned  programs  while  guarding  against  subverted  or  malicious 
hosts.  New  protocols  had  to  be  developed  in  order  to  permit  secure  transfer 
of  control  between  one  group  of  host  replicas  and  another.  And  to  under¬ 
stand  the  practicality  of  our  approach,  secure  distributed  systems  have  been 
implemented  using  Jif/split,  including  various  secure  auction  protocols.  Per¬ 
formance  of  the  system  is  quite  reasonable,  despite  the  fine-grained  program 
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paxtitioning. 
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DoD  Interactions  and  Technology  Transitions 

•  Schneider  chaired  a  study  for  DARPA  IPTO  Program  Manager  Jay 
Lala  on  promising  research  directions  for  Self-Healing  Networked  In¬ 
formation  Systems. 

•  Morrisett  and  Schneider  continue  working  with  Microsoft  on  develop¬ 
ing  a  .NET  version  of  our  in-lined  reference  monitor  (IRM)  approach 
to  security-policy  enforcement.  Next  Fall,  Cornell  graduate  student 
Kevin  Hamlen  will  spend  a  semester  visiting  Microsoft  Research  (in 
Cambridge,  England).  The  MSIL  rewriter  we  have  developed  uses 
some  software  developed  there,  and  this  visit  will  speed  the  implemen¬ 
tation  of  our  new  IRM  tool. 

•  Researchers  at  Carnegie-Mellon  University,  Princeton  University,  Uni¬ 
versity  of  California  (Riverside),  University  of  Newcastle-Upon-Tyne, 
and  Intel  Research  are  all  now  building  on  PoET/PSLang  IRM  tools 
developed  by  Schneider  and  collaborators. 

•  Further  public  releases  of  Myers’  Jif  compiler  have  been  made  available 
at  the  Jif  web  site,  http://www.cs.cornell.edu/jif.  The  Jif  language 
extends  the  Java  programming  language  with  support  for  information 
flow  control.  The  Jif  compiler  is  implemented  on  top  of  the  Polyglot  ex¬ 
tensible  compiler  framework  for  Java.  The  Polyglot  framework  has  also 
been  released  publicly  at  http://www.cs.cornell.edu/projects/polyglot. 
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and  researchers  at  Princeton  University  are  using  this  framework  in 
their  own  research.  The  releases  of  both  Jif  and  Polyglot  are  provided 
as  Java  source  code  and  work  on  Unix  and  Windows  platforms. 

•  AT&T  research  is  working  with  us  to  develop  the  Cyclone  language, 
compiler,  and  tools.  In  addition,  researchers  at  the  University  of 
Maryland,  the  University  of  Utah,  Princeton,  and  the  University  of 
Pennsylvania,  and  Cornell  are  all  using  Cyclone  to  develop  research 
prototypes. 
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